Add debugging for user sessions and authentication.

README.md

@@ -101,7 +101,8 @@ Optional:
    
 * `SITE_NAME` (default: *LDAP user manager*):  Change this to replace the title in the menu.  e.g. "My Company"
 
-* `LDAP_DEBUG` (default: *FALSE*): Set to TRUE to increase the logging level.  This will output passwords to the error log - don't enable this in a production environment.
+* `LDAP_DEBUG` (default: *FALSE*): Set to TRUE to increase the logging level for LDAP connections.  This will output passwords to the error log - don't enable this in a production environment.
+* `SESSION_DEBUG` (default: *FALSE*): Set to TRUE to increase the logging level for sessions and user authorisation.  This will output cookie passkeys to the error log - don't enable this in a production environment.
 
 Webserver SSL setup
 ---

www/includes/config.inc.php

@@ -32,6 +32,7 @@
  #We'll use the username regex for groups too.
 
  $LDAP_DEBUG = ((strcasecmp(getenv('LDAP_DEBUG'),'TRUE') == 0) ? TRUE : FALSE);
+ $SESSION_DEBUG = ((strcasecmp(getenv('SESSION_DEBUG'),'TRUE') == 0) ? TRUE : FALSE);
 
  ###
 

www/includes/web_functions.inc.php

@@ -40,7 +40,7 @@ function set_passkey_cookie($user_id,$is_admin) {
 
  # Create a random value, store it locally and set it in a cookie.
 
- global $LOGIN_TIMEOUT_MINS, $VALIDATED, $USER_ID, $IS_ADMIN;
+ global $LOGIN_TIMEOUT_MINS, $VALIDATED, $USER_ID, $IS_ADMIN, $SESSION_DEBUG;
 
 
  $passkey = generate_passkey();
@@ -54,7 +54,7 @@ function set_passkey_cookie($user_id,$is_admin) {
  $filename = preg_replace('/[^a-zA-Z0-9]/','_', $user_id);
  file_put_contents("/tmp/$filename","$passkey:$admin_val:$this_time");
  setcookie('orf_cookie', "$user_id:$passkey", $this_time+(60 * $LOGIN_TIMEOUT_MINS), '/', $_SERVER["HTTP_HOST"]);
-
+ if ( $SESSION_DEBUG == TRUE) {  error_log("$log_prefix Session: user $user_id validated (IS_ADMIN=${IS_ADMIN}), sent orf_cookie to the browser.",0); }
  $VALIDATED = TRUE;
 
 }
@@ -64,7 +64,7 @@ function set_passkey_cookie($user_id,$is_admin) {
 
 function validate_passkey_cookie() {
 
- global $LOGIN_TIMEOUT_MINS, $IS_ADMIN, $USER_ID, $VALIDATED;
+ global $LOGIN_TIMEOUT_MINS, $IS_ADMIN, $USER_ID, $VALIDATED, $SESSION_DEBUG;
 
  if (isset($_COOKIE['orf_cookie'])) {
 
@@ -75,6 +75,7 @@ function validate_passkey_cookie() {
    $VALIDATED = FALSE;
    unset($USER_ID);
    $IS_ADMIN = FALSE;
+   if ( $SESSION_DEBUG == TRUE) {  error_log("$log_prefix Session: orf_cookie was sent by the client but the session file wasn't found at /tmp/$filename",0); }
   }
   else {
    list($f_passkey,$f_is_admin,$f_time) = explode(":",$session_file);
@@ -83,10 +84,23 @@ function validate_passkey_cookie() {
     if ($f_is_admin == 1) { $IS_ADMIN = TRUE; }
     $VALIDATED = TRUE;
     $USER_ID=$user_id;
+    if ( $SESSION_DEBUG == TRUE) {  error_log("$log_prefix Setup session: Cookie and session file values match for user ${user_id} - VALIDATED (ADMIN = ${IS_ADMIN})",0); }
     set_passkey_cookie($USER_ID,$IS_ADMIN);
    }
+   elseif ( $SESSION_DEBUG == TRUE ) {
+     $this_error="$log_prefix Session: orf_cookie was sent by the client and the session file was found at /tmp/$filename, but";
+     if ($this_time < $f_time+(60 * $LOGIN_TIMEOUT_MINS)) { $this_error .= " the timestamp was older than the login timeout ($LOGIN_TIMEOUT_MINS);"; }
+     if (empty($c_passkey)) { $this_error .= " the cookie passkey wasn't set;"; }
+     if ($c_passkey != $f_passkey) { $this_error .= " the session file passkey didn't match the cookie passkey;"; }
+     $this_error += " Cookie: ${_COOKIE['orf_cookie']} - Session file contents: $session_file";
+     error_log($this_error,0);
+   }
   }
  }
+ elseif ( $SESSION_DEBUG == TRUE) {
+   error_log("$log_prefix Session: orf_cookie wasn't sent by the client.",0);
+ }
+
 }
 
 
@@ -96,7 +110,7 @@ function set_setup_cookie() {
 
  # Create a random value, store it locally and set it in a cookie.
 
- global $LOGIN_TIMEOUT_MINS, $IS_SETUP_ADMIN;
+ global $LOGIN_TIMEOUT_MINS, $IS_SETUP_ADMIN, $SESSION_DEBUG;
 
  $passkey = generate_passkey();
  $this_time=time();
@@ -105,6 +119,7 @@ function set_setup_cookie() {
 
  file_put_contents("/tmp/ldap_setup","$passkey:$this_time");
  setcookie('setup_cookie', "$passkey", $this_time+(60 * $LOGIN_TIMEOUT_MINS), '/', $_SERVER["HTTP_HOST"]);
+ if ( $SESSION_DEBUG == TRUE) {  error_log("$log_prefix Setup session: sent setup_cookie to the client.",0); }
 
 }
 
@@ -113,7 +128,7 @@ function set_setup_cookie() {
 
 function validate_setup_cookie() {
 
- global $LOGIN_TIMEOUT_MINS, $IS_SETUP_ADMIN;
+ global $LOGIN_TIMEOUT_MINS, $IS_SETUP_ADMIN, $SESSION_DEBUG;
 
  if (isset($_COOKIE['setup_cookie'])) {
 
@@ -121,14 +136,26 @@ function validate_setup_cookie() {
   $session_file = file_get_contents("/tmp/ldap_setup");
   if (!$session_file) {
    $IS_SETUP_ADMIN = FALSE;
+   if ( $SESSION_DEBUG == TRUE) {  error_log("$log_prefix Setup session: setup_cookie was sent by the client but the session file wasn't found at /tmp/ldap_setup",0); }
   }
   list($f_passkey,$f_time) = explode(":",$session_file);
   $this_time=time();
   if (!empty($c_passkey) and $f_passkey == $c_passkey and $this_time < $f_time+(60 * $LOGIN_TIMEOUT_MINS)) {
    $IS_SETUP_ADMIN = TRUE;
+   if ( $SESSION_DEBUG == TRUE) {  error_log("$log_prefix Setup session: Cookie and session file values match - VALIDATED ",0); }
    set_setup_cookie();
   }
-
+  elseif ( $SESSION_DEBUG == TRUE) {
+   $this_error="$log_prefix Setup session: setup_cookie was sent by the client and the session file was found at /tmp/ldap_setup, but";
+   if ($this_time < $f_time+(60 * $LOGIN_TIMEOUT_MINS)) { $this_error .= " the timestamp was older than the login timeout ($LOGIN_TIMEOUT_MINS);"; }
+   if (empty($c_passkey)) { $this_error .= " the cookie passkey wasn't set;"; }
+   if ($c_passkey != $f_passkey) { $this_error .= " the session file passkey didn't match the cookie passkey;"; }
+   $this_error += " Cookie: ${_COOKIE['setup_cookie']} - Session file contents: $session_file";
+   error_log($this_error,0);
+  }
+ }
+ elseif ( $SESSION_DEBUG == TRUE) {
+   error_log("$log_prefix Session: setup_cookie wasn't sent by the client.",0);
  }
 
 }
@@ -251,7 +278,7 @@ function render_footer() {
 
 function set_page_access($level) {
 
- global $IS_ADMIN, $IS_SETUP_ADMIN, $VALIDATED;
+ global $IS_ADMIN, $IS_SETUP_ADMIN, $VALIDATED, $SESSION_DEBUG;
 
  #Set the security level needed to view a page.
  #This should be one of the first pieces of code
@@ -264,6 +291,7 @@ function set_page_access($level) {
   }
   else {
    header("Location: //" . $_SERVER["HTTP_HOST"] . "/setup/index.php?unauthorised\n\n");
+   if ( $SESSION_DEBUG == TRUE) {  error_log("$log_prefix Session: UNAUTHORISED: page security level is 'setup' but IS_SETUP_ADMIN isn't TRUE",0); }
    exit(0);
   }
  }
@@ -274,6 +302,7 @@ function set_page_access($level) {
   }
   else {
    header("Location: //" . $_SERVER["HTTP_HOST"] . "/index.php?unauthorised\n\n");
+   if ( $SESSION_DEBUG == TRUE) {  error_log("$log_prefix Session: UNAUTHORISED: page security level is 'admin' but IS_ADMIN = '${IS_ADMIN}' and VALIDATED = '${VALIDATED}' (user) ",0); }
    exit(0);
   }
  }
@@ -284,6 +313,7 @@ function set_page_access($level) {
   }
   else {
    header("Location: //" . $_SERVER["HTTP_HOST"] . "/index.php?unauthorised\n\n");
+   if ( $SESSION_DEBUG == TRUE) {  error_log("$log_prefix Session: UNAUTHORISED: page security level is 'user' but VALIDATED = '${VALIDATED}'",0); }
    exit(0);
   }
  }